CMS InfoSec Ltd (“we”, “us”), trading as Cyber Made Simple, operates this website and the Cyber Made Simple service (“the service”). We are a privacy-first and security-first organisation: we collect only what we need to run the product safely, protect personal data with appropriate technical and organisational measures, and give you clear choices and rights under UK law.
This policy explains what we process, why, how long we keep it, who we share it with, and what you can do about it. It applies to visitors, account holders and organisation administrators using the service. For our broader security and assurance posture, see Security & privacy compliance.
Controller. CMS InfoSec Ltd is the controller for personal data described here unless we tell you otherwise for a specific processing activity.
Contact. Privacy questions and requests: support@cybermadesimple.co.uk. General enquiries: hello@cybermadesimple.co.uk.
What we collect
Depending on how you use the service, we may process:
- Account & profile — name, email address, authentication identifiers (for example Supabase user id), password handling via our auth provider (we do not store plaintext passwords), optional profile fields, organisation memberships, roles, and preferences you save in the product.
- Organisation & billing — organisation name, billing contact details, subscription state mirrored from our payment provider, seat counts and similar account metadata. Card numbers and full payment credentials are processed by our regulated payment processor; we do not store full card numbers on our application databases.
- Usage & product telemetry — pages and features you use, approximate timestamps, diagnostics needed to operate and secure the service (for example error fingerprints, rate limits), and content you create in the product (articles, tool outputs, training progress, etc.) tied to your account where applicable.
- Communications — messages you send us (contact forms, support email), transactional email delivery metadata, and marketing preferences where you opt in.
- Cookies and similar technologies — as described in our cookie controls and banner (strictly necessary cookies for sign-in; optional analytics or marketing categories where you consent).
- Integration & API data — if you connect third-party services, we process the data needed to make that integration work and to meet security requirements (for example encrypted tokens where applicable).
Why we use it (lawful bases)
We rely on one or more of the following, depending on the activity:
- Performance of a contract — to provide the service you signed up for, authenticate you, and manage billing where you are a customer.
- Legitimate interests — to secure the platform, prevent abuse, improve the product, and run proportionate analytics, balanced against your rights.
- Consent — where required (for example non-essential cookies or certain marketing channels), which you can withdraw via the cookie controls or unsubscribe links.
- Legal obligation — where we must retain or disclose information for tax, accounting or regulatory reasons.
How we use and share personal data
We use personal data to:
- Deliver, maintain and secure the service;
- Authenticate users and enforce role-based access;
- Process payments and subscriptions through our payment provider;
- Send transactional email (security alerts, account notices, billing);
- Send marketing email only if you opt in, with unsubscribe available;
- Comply with law and defend legal claims where necessary.
We use subprocessors (such as cloud hosting, authentication, email and payment providers) who process data on our instructions under contract. We do not sell personal data in the sense of trading lists for unrelated third-party marketing.
International transfers
Our stack may involve providers in the UK, EEA or other regions. Where personal data leaves the UK, we rely on appropriate mechanisms recognised under UK data protection law (for example adequacy regulations or standard contractual clauses), in line with supplier terms at the time.
Retention
We keep personal data only as long as needed for the purposes above, including legal, accounting and dispute resolution. Account data is deleted when you use account deletion where available, subject to retention that the law requires (for example invoices). Aggregated or de-identified analytics may be kept longer.
Security
We implement administrative, technical and physical safeguards appropriate to the risk, including encryption in transit, access controls, secure development practices, and monitoring. See Security & privacy compliance for a higher-level overview — deliberately not exhaustive so as not to aid attackers.
Your rights
Under UK data protection law you may have the right to:
- Access your personal data;
- Rectify inaccurate data;
- Erase data in certain circumstances;
- Restrict or object to certain processing;
- Obtain data portability where applicable;
- Withdraw consent where processing is based on consent;
- Lodge a complaint with the ICO (ico.org.uk).
Signed-in users can use Account → Privacy & data to export or request deletion of their account data where the product supports it. For other requests, contact support@cybermadesimple.co.uk.
Children
The service is aimed at adults and organisations. We do not knowingly collect personal data from children without appropriate consent. If you believe we have done so, contact us and we will investigate promptly.
Changes
We may update this policy from time to time. We will change the “Last updated” date below and, for material changes, provide an additional notice where appropriate (for example in-product or by email).
Last updated: 2026-06-12